QR codes in payments: How to avoid quishing

Transactions continue to become simpler and more focussed as payment technology is developed with more of a focus on customer centricity.

At the same time, consumers are becoming more comfortable working with the latest developments in technology.

QR codes can make payments fast and efficient, whether that’s in retail, dining, or making a charitable donation. 

We also see QR codes being used for unattended payments like at a car parks, meaning any customer with a smart phone can make a quick and convenient payment. See below for more details on where QR  

Brian Kinsella, Senior Regional Fraud Manager at Elavon Europe, said: “Simplifying the payment process can unfortunately result in unexpected risks that can be equally simple in their execution. 

“Fraudsters take advantage of that simplification, redirecting unwitting customers to a fake payments page where their details are stolen.

“Examples of this scam are seen across the globe, and it is a clearly growing concern.”

“Thankfully there are a few simple steps to take to reduce the chances of falling victim to this kind of crime.” 

Known as QR Phishing or “Quishing”, fraudsters cover the genuine QR code with their own QR code. This redirects customers to a fake payments page which is used to harvest their card details.

These details are used to commit further fraud elsewhere. 

By taking these steps we can continue to reduce the risk of fraud, keep customer data safe, and drive trust in your business.  

For consumers, the UK’s National Cyber Security Centre suggests people use a phone’s inbuilt QR-scanner rather than downloading an app. It warns people to be wary of QR-codes sent in emails.

There are two main types of QR codes:

Static codes contain fixed information which cannot be changed once it has been generated. They might be used to direct to a website, share a Wi-fi password, or provide contact details. Static codes don’t need the user to be connected to the internet because all the information is contained in the code. Unless it’s being used to direct people to a website.

Dynamic codes embed a short URL in the code, directing users to a website. This can be altered after the code has been created. Because dynamic codes always direct users to a website, users have to be connected to the internet to be able to use. Dynamic codes are easier for devices to read and can also be used to collect data such as how often a code has been scanned, what times of day or what kind of device was used.

A digital dynamic QR code, as suggested above as a safer alternative, is a dynamic QR code on a screen. If a fraudster was to cover the screen with a sticker, it would be much more obvious to a consumer. Dynamic codes also provide data, such as how often it is being scanned, meaning you can see if there is a sudden drop in usage.
 

Where might you see QR codes for payments?

QR codes have been around since the 1990s but their use in the payments industry really took off during the Covid pandemic, particularly in the hospitality industry.

Today you can find them in a wide variety of businesses, driven by the widespread adoption of mobile technology and consumers’ increased comfort in embracing technology developments.

Pay-at-table in restaurants 

A QR code is printed on a receipt or placed on the table. Diners scan the code to see their bill and pay from their phone, reducing queues and speeding up the transaction.

Food and drink ordering

At quick-serve restaurants, cafés and even pubs, a QR code leads customers to a menu where they can order and pay, either at a table or a kiosk. 

Ticketing 

QR codes are commonly used as proof of payment for tickets. The QR code is then used to gain entry to a gig or to be scanned by a ticket collector on a train.

Retail in‑store payments

Retailers can display a QR code at checkout for customers to scan and then pay using a mobile wallet or banking app. This is particularly useful for pop-ups or smaller retailers where it’s tricky to use more traditional POS devices.

Parking  

Many people will be familiar with QR codes when having to pay for parking. Drivers scan the code, enter their vehicle details, and pay digitally, either in-app or on a ecommerce website. It saves the business having to handle cash and is convenient for customers.